Major Security Risk Hits Yearn Finance yETH Pool
Yearn Finance, the decentralized yield protocol, has once again faced a security incident. The yETH liquidity pool recently experienced irregular trading activity, with a substantial volume of Liquid Staking Tokens (LSTs) withdrawn in a short span. As the primary pool aggregating leading LSTs, the yETH pool is a cornerstone of the Yearn protocol. This incident is a significant concern for the market.
Attack Method: Forged Minting and Instant Pool Drain
On-chain data shows that the attacker deployed a series of custom contracts to mint an unlimited supply of yETH tokens in a single transaction. Using these artificially generated tokens, they exchanged for all LST assets in the pool, resulting in the pool being emptied within seconds. The losses are estimated at several million US dollars.
Following the attack, approximately 1,000 ETH (about $3 million) was quickly transferred into Tornado Cash, complicating efforts to trace the funds. Multiple attack contracts self-destructed after execution, highlighting the attack’s meticulous planning and technical sophistication.
Loss Estimates Await Official Confirmation
Prior to the incident, the yETH pool held roughly $11 million in assets. However, the actual losses require confirmation from Yearn Finance and blockchain security teams, as some ETH may have been consumed or become untraceable during the exploit.
On-chain analyst Togbe was the first to detect the breach, identifying anomalies while tracking large fund movements and bringing the attack to light.
Official Response and Historical Context
(Source: yearnfi)
Yearn Finance announced on X that it is actively investigating the incident. The team emphasized that V2 and V3 Vaults remain unaffected. The protocol has previously faced several security and technical challenges:
- 2021: yDAI Vault vulnerability resulted in losses of approximately $11 million
- 2022: Founder Andre Cronje announced his departure from the project
- Late 2023: A script error reduced treasury assets by 63%, though user funds were not impacted
As of now, Yearn’s team has not released further details from its investigation. The market continues to await additional updates.
To learn more about Web3, sign up here: https://www.gate.com/
Summary
This incident demonstrates that even long-standing DeFi protocols with robust communities and audit histories remain vulnerable to flaws in contract logic, cross-contract interactions, and governance design. Yearn Finance needs to focus not only on fixing vulnerabilities but also on restoring market trust. The broader DeFi ecosystem is reminded that security audits, monitoring systems, and ongoing maintenance are critical for long-term stability. While innovation drives DeFi forward, striking the right balance between speed and security will ultimately determine the sector’s longevity and success.
